Department of Homeland Security
Office of Inspector General

Efforts to Identify Critical Infrastructure Assets and Systems

OIG-09-86
June 2009

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

June 30, 2009

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report addresses Department of Homeland Security identification and use of critical infrastructure asset and systems data. We based our report on interviews with relevant agencies, direct observations, and a review of applicable documents and data.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Table of Contents/Abbreviations

Executive Summary
Background
Results of Review
    The Infrastructure Information Collection System Is in the Early Stages of Development
    The Prioritized Critical Infrastructure Lists Are the Primary Means Used to Identify Critical Infrastructure
    The Lists are Used in Grant Formulas, but Not by DHS Law Enforcement
    Status of DHS Reporting Requirements and Discretionary Consortium
    Major Changes to the Sector Partnership Model Are Not Needed
    Management Comments and OIG Analysis

Appendices
    Appendix A: Purpose, Scope, and Methodology
    Appendix B: Management Comments to the Draft Report
    Appendix C: The Survey of Protective Security Advisors
    Appendix D: Major Contributors to this Report
    Appendix E: Report Distribution

Abbreviations
  ACAMS         Automated Critical Asset Management System
  CIKR          Critical Infrastructure/Key Resources
  CIO           Chief Information Officer
  DHS           Department of Homeland Security
  DIB           Defense Industrial Base
  EAB           Enterprise Architecture Board
  FASCAT        Food and Agriculture Sector Criticality Assessment Tool
  FEMA          Federal Emergency Management Agency
  GAO           Government Accountability Office
  HITRAC        Homeland Infrastructure Threat and Risk Analysis Center
  ICE           Immigration and Customs Enforcement
  IDW           Infrastructure Data Warehouse
  IICS          Infrastructure Information Collection System
  IP            Office of Infrastructure Protection
  IRB           Investment Review Board
  NADB          National Asset Database
  NIAC          National Infrastructure Advisory Council
  NII           National Infrastructure Index
  NIPP          National Infrastructure Protection Plan
  NISAC         National Infrastructure Simulation and Analysis Center
  NPPD          National Protection and Programs Directorate
  NSI           National Security Index
  OIG           Office of Inspector General
  PSA           Protective Security Advisor
  SHSP          State Homeland Security Program
  SSA           Sector Specific Agency
  TSA           Transportation Security Administration
  UASI          Urban Area Security Initiative

Executive Summary

This report fulfills a statutory requirement from Section 1001 of the Implementing Recommendations of the 9/11 Commission Act that requires the Office of Inspector General to review the Department of Homeland Security’s
(DHS) efforts to identify critical infrastructure. Efforts to catalog the nation’s critical assets and systems are important steps to satisfying the departmental mission of securing the homeland. Our June 2006 report, Progress in Developing the National Asset Database (OIG-06-40), examined early DHS work in this area.

The National Protection and Programs Directorate is in the process of acquiring the Infrastructure Information Collection System, a replacement for the National Asset Database. Staff in the directorate expressed several concerns about the acquisition process. Additional interaction between these staff experts and the Directorate of Management offers the possibility of greater cooperation in acquiring the new system and hiring employees.

The primary means used to identify the nation’s most critical assets and systems is the annual Prioritized Critical Infrastructure List process. The department works with public and private sector experts to create the two lists, which are designed to identify the nation’s most critical assets and systems. The lists provide a reasonable means to fulfill statutory mandates, DHS critical infrastructure goals, and overall risk management activities. Public and private sector experts expressed appreciation for DHS efforts to work with partners throughout critical infrastructure identification efforts.
We determined that some changes in this DHS effort would enhance efficiency, expand partnerships, and gain more resources to improve the process on an ongoing basis.

We are making 10 recommendations to improve DHS efforts to identify and catalog critical infrastructure assets and systems.

Background

DHS must work with an array of public and private sector stakeholders to identify the nation’s critical infrastructure. This section describes DHS asset identification efforts and the partnership model established in the National Infrastructure Protection Plan (NIPP), which was revised in 2009. The NIPP lists DHS infrastructure protection goals.

Overview of Asset Identification Efforts

DHS is responsible for leading the national effort to identify and protect critical infrastructure.
The National Strategy for Homeland Security specifies critical infrastructure and key resources (CIKR) protection as one of four DHS significant mission goals.[1] Since 1998, several policies and strategies have established the protection of the nation’s CIKR as vital to securing the homeland. According to the NIPP, one of the initial steps to protect the nation’s infrastructure is to “identify assets, systems, networks, and functions.”[2] Asset identification is an essential preliminary step to knowing the extent of the nation’s CIKR for purposes of targeting grant funding and other efforts.

Section 1001 of the Implementing Recommendations of the 9/11 Commission Act of 2007 (hereinafter “The Act”) mandates that DHS maintain and use a database to catalog the nation’s critical infrastructure. We are required to review the department’s implementation of Section 1001.[3]

DHS is required to develop a comprehensive system that catalogs critical infrastructure and enhances CIKR protection.[4] Previously, DHS inventoried assets, systems, networks, and functions through the National Asset Database (NADB). In June 2006, we reported that the NADB did not distinguish assets by criticality. The department countered with the assertion that the database was not intended to be a list of critical assets.
The divergence of opinion on the purpose of the NADB created confusion in Congress and the media.[5]

[1] Homeland Security Council, National Strategy for Homeland Security, October 2007, p. 1.
[2] Department of Homeland Security, National Infrastructure Protection Plan, 2006, p. 4.
[3] Implementing Recommendations of the 9/11 Commission Act of 2007 (P.L. 110-53), § 1001.
[4] The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, February 2003, p. 23.

DHS asset identification efforts must catalog systems or assets that would have “a negative or debilitating effect” on the United States if disrupted or attacked. The Prioritized Critical Infrastructure List, another asset cataloging instrument to identify the nation’s most critical assets and systems, is also required.[6] DHS is therefore charged to create both a general database of critical infrastructure and a list of the nation’s most important assets and systems.
DHS must report annually to Congress regarding progress and difficulties encountered in identifying and collecting CIKR information.

DHS policy maintains that CIKR information repositories will inform decision making and specific response and recovery activities.[7] Thus, any system to catalog national assets must provide a comprehensive overview of critical infrastructure. At the end of 2006, DHS discontinued operational use of the NADB. The DHS Office of Infrastructure Protection (IP) is now acquiring the Infrastructure Information Collection System (IICS). One component of the IICS is the Infrastructure Data Warehouse (IDW), which will replace the NADB. This new data system will allow relevant critical infrastructure partners from federal, state, local, and private entities to access various tools that house infrastructure data. The information in the IDW will help DHS conduct further risk analysis and meet the national data management requirements in Section 1001 of the Act. Our review focused on plans for the IDW and issues related to the procurement of the IICS. We did not conduct a detailed review of all planned components of the IICS.

Because the IICS is still in development, the primary DHS effort to identify critical infrastructure is the annual National Critical Infrastructure Prioritization Program.
Delays in acquiring the IDW have meant that the lists created under the Program are not yet part of a national database, as the Act requires. Through the use of established criteria, states and sector experts provide DHS with lists of the nation’s most critical assets and systems.

[5] Congressional Research Service, Critical Infrastructures: Background, Policy, and Implementation, updated October 10, 2008, p. 28–29.
[6] P.L. 110-53, § 1001(a)(1)(A).
[7] DHS, National Infrastructure Protection Plan, p. 155.

The Sector Partnership Model

The elements of the nation’s CIKR are divided into 18 sectors. Each sector has a federal agency, known as a Sector Specific Agency (SSA), designated to coordinate work across the private sector and all levels of government. The sectors and corresponding SSAs are listed in Table 1.

Table 1. Sectors and the Sector Specific Agencies

 Sector                          Sector Specific Agency
 Agriculture and Food            Department of Agriculture and Department of Health and Human Services
 Banking and Finance             Department of the Treasury
 Chemical                        DHS, Office of Infrastructure Protection
 Commercial Facilities           DHS, Office of Infrastructure Protection
 Communications                  DHS, Office of Cyber Security and Communications
 Critical Manufacturing          DHS, Office of Infrastructure Protection
 Dams                            DHS, Office of Infrastructure Protection
 Defense Industrial Base         Department of Defense
 Emergency Services              DHS, Office of Infrastructure Protection
 Energy                          Department of Energy
 Government Facilities           DHS, Federal Protective Service
 Information Technology          DHS, Office of Cyber Security and Communications
 National Monuments and Icons    Department of Interior
 Nuclear                         DHS, Office of Infrastructure Protection
 Postal and Shipping             DHS, Transportation Security Administration
 Public Health and Healthcare    Department of Health and Human Services
 Transportation                  DHS, Transportation Security Administration and Coast Guard
 Water                           Environmental Protection Agency

DHS has created a sector partnership model designed to ensure communication between DHS, the SSAs, other federal agencies, state and local officials, and the private sector.
The partners are as follows:

    • Five DHS agencies that serve as SSAs;
    • Seven non-DHS SSAs;
    • State, local, and tribal governments; and
    • The private sector.

Each sector operates a Government Coordinating Council, which includes public sector representatives who work with DHS. Sector Coordinating Councils ensure that DHS receives input from asset owners and trade associations. The Councils assess actions taken to identify CIKR and improve the protected status of assets and systems.[8] Protective Security Advisors (PSAs) are DHS’s field-deployed infrastructure protection experts who interact and coordinate with Federal, State, local, territorial and tribal organizations and the private sector to assess and enhance the security of CIKR. There are currently 92 PSAs in all 50 States and Puerto Rico.

DHS has the overall responsibility to “lead, integrate, and coordinate” national critical infrastructure protection efforts.[9] Within DHS, IP is charged to carry out this mission.
To accomplish this, IP must work with its CIKR partners, as described in the National Strategy for Homeland Security:

    “While the Federal Government provides overarching leadership and coordination for protecting and mitigating vulnerabilities of our Nation’s CIKR, all partners have important roles to play.”[10]

IP recognizes that identification and prioritization of the nation’s CIKR depends on the contributions and cooperation of its public and private sector stakeholders. The private sector, which owns most key assets and systems, has a vital role. Each SSA has unique knowledge and expertise. State, local, and tribal governments are also important partners.[11]

Results of Review

The plans for the IDW and the existing National Critical Infrastructure Prioritization Program are reasonable efforts to meet statutory requirements for identification of the nation’s most critical infrastructure. DHS, however, is in the early stages of acquiring the IDW. As a result, the primary DHS effort to identify assets and systems is the annual lists of the nation’s most critical infrastructure. The lists guide DHS grant allocation decisions and other risk management activities. IP has shown commendable interest in ongoing improvement to the list process.
Our recommendations focus on ways IP could improve the identification of CIKR, increase partner participation, and obtain additional resources to enhance asset and system identification efforts.

[8] DHS, National Infrastructure Protection Plan, chapter 4.
[9] Homeland Security Presidential Directive 7, “Critical Infrastructure Identification, Prioritization and Protection,” June 17, 2004.
[10] The Homeland Security Council, National Strategy for Homeland Security, October 2007, p. 28.
[11] DHS, National Infrastructure Protection Plan, chapter 2.

The Infrastructure Information Collection System Is in the Early Stages of Development

In September 2006, DHS leadership decided to suspend use of the NADB. IP staff stated that the database needed a variety of dynamic functions. The NADB was a static list of assets that did not link to mapping or analytical tools, which enhance a user’s understanding of an asset and the effects of attacks or disruptions. As a replacement, DHS is acquiring the IDW, part of the IICS. The IDW will allow DHS and its CIKR partners to access a range of existing critical infrastructure information data sources more easily. DHS believes that the IDW will allow more rapid risk management across the infrastructure sectors, with the added advantage of decreased data maintenance costs and inefficiencies.

IP staff said that IICS will provide needed enhancements. As part of the IICS, the IDW would provide a single virtual view of one or more infrastructure data sources. The static nature of the NADB platform did not allow for such functionality.
Experts in IP said that the integration of various data sources will be the prominent benefit of the IDW compared to the NADB. The IDW will offer users more information and provide benefits that will include a prompt means to assess natural or intentional disasters. DHS staff views the IDW as a significant restructuring of DHS CIKR identification activities.

DHS has identified four capability gaps in current critical infrastructure risk management. These gaps are the need for

    1. Accessible and quantifiable risk-related information;
    2. Data standards to ensure consistent data;
    3. Common information collection and maintenance processes; and
    4. Information fusion to enable current and complete analysis.

The department’s May 2008 Report to Congress stated that these gaps restrict cross-sector and national risk analysis that use geographic data and other sources. The IDW is expected to diminish or eliminate these gaps.

Because the IDW is not fully developed, the Automated Critical Asset Management System (ACAMS) currently contributes to critical infrastructure asset identification. IP staff describes ACAMS as “the most mature operational information collection tool” in use. ACAMS will be the “cornerstone” of the IICS. A growing number of states and territories use ACAMS to collect infrastructure information and catalog assets. Although we noted differences of opinion among state officials, ACAMS is generally seen as a helpful tool to identify assets, gain further information about important sites, and target protective measures.
We were informed of problems with inconsistent ACAMS data submission across states. We view these inconsistencies as inherent to a national process that focuses on submissions from 56 state and territorial governments.

Although ACAMS currently collects infrastructure information, IP officials have been frustrated with difficulties in hiring new employees and acquiring the IDW as part of the IICS. IP officials argue that the Directorate of Management’s oversight requirements and evolving guidance contributed to problems with the IICS effort. IP staff said that these issues impede project management and prevent mission accomplishment. An IP manager lamented that the “centralized planning, centralized execution” paradigm hinders IP’s ability to attract employees and efficiently procure technology.

IP management provided timelines and other information to illustrate concerns related to personnel security processing and the hiring process. IP staff noted that hiring delays have hindered development of the IDW. National Protection and Programs Directorate (NPPD) components such as IP rely on the department’s Personnel Security Division for these functions. IP managers found the process frustrating and burdensome, from the time required to bring new staff on board to the transfer of security information for employees who already hold clearances.
We did not analyze the directorate’s personnel security issues for this report. However, our office recently reviewed the department’s overall personnel security practices.[12] That report included various recommendations designed to improve overall efficiency and help DHS components add staff more expeditiously.

We received data from NPPD regarding the information technology acquisition process. Along with the Government Accountability Office (GAO), we have identified problems with the DHS acquisition function.[13] With extremely challenging and critical missions, DHS faces inherent procurement difficulties across varied components. The Office of Procurement Oversight division that covers NPPD had only 11 staff, yet was involved in more than 500 procurement requests in FY 2008.

[12] DHS OIG, The DHS Personnel Security Process, OIG-09-65, May 2009.
[13] GAO, Department of Homeland Security: A Strategic Approach Is Needed to Better Ensure the Acquisition Workforce Can Meet Mission Needs, GAO-09-30, November 2008; GAO, Progress and Challenges in Implementing the Department’s Acquisition Oversight Plan, GAO-07-900, June 2007.

IP staff had concerns with the department’s Enterprise Architecture Board (EAB) and Investment Review Board (IRB). The EAB and IRB acquire key portions of DHS information technology. The primary purpose of the EAB is to ensure that component IT projects align with DHS missions and do not duplicate existing functions.
The EAB also works to eliminate duplicative purchases. The IRB is composed of senior officials from DHS components who review major department investments.

In a July 2004 report, we highlighted concerns with these DHS boards.[14] We determined that the EAB does not provide a venue for including business perspectives on IT decisions, while the IRB postponed or cancelled 12 of 21 meetings. The IRB included high-level membership with competing priorities that had no sense of urgency. GAO also has reported problems that continue to diminish the effectiveness of the IRB.[15]

We concluded that the DHS Chief Information Officer (CIO) has been unable to “ensure that major IT investment reviews are conducted in a timely manner.”[16] In September 2008, we reported that the DHS CIO is now “better positioned to meet the department’s IT challenges.” The report noted that the DHS CIO had an enhanced ability to oversee the investment review process. Refinements to the IRB and the applicable DHS Management Directive were also ongoing. Challenges remain, including CIO staffing shortages, limited CIO authority, and general acquisition review weaknesses.[17]

IP managers believe that problems with DHS oversight boards have affected the development of the IICS. Officials in the Directorate of Management have recognized problems with DHS IT acquisition oversight and procurement limitations. However, Directorate of Management officials said that oversight is needed to ensure that components’ decisions do not adversely impact DHS missions.
A recent GAO report on investment management recommended that DHS ensure that “components have established processes to manage major investments consistent with departmental policies.”[18]

[14] DHS OIG, Improvements Needed to DHS’ Information Technology Management Structure, OIG-04-30, July 2004.
[15] GAO, Department of Homeland Security: Billions Invested in Major Programs Lack Appropriate Oversight, GAO-09-29, November 2008.
[16] DHS OIG, Improvements Needed to DHS’ Information Technology Management Structure, OIG-04-30, July 2004.
[17] DHS OIG, Progress Made In Strengthening DHS Information Technology Management, But Challenges Remain, OIG-08-91, September 2008.
[18] GAO-09-29, Department of Homeland Security: Billions Invested in Major Programs Lack Appropriate Oversight, November 2008, p. 32.

Directorate of Management staff noted that NPPD has experienced difficulties in its IT management, including a year-long vacancy in the NPPD CIO position, which was filled in October 2008. Moreover, NPPD has faced reorganizations and staffing problems. A Directorate of Management review of the IICS was completed in November 2007. This review cited significant planning, staffing, and program execution issues. IP officials responded that many of the deficiencies were outside the office’s control, but corrective actions were continuing.
Based on information obtained from DHS enterprise architecture and procurement managers, we concluded that NPPD has made a good faith effort to fulfill acquisition process mandates.

During fieldwork, we learned that the IP plans for the IDW are not well understood. The Director of Management’s procurement chief in charge of NPPD acquisitions had not seen the IDW referenced before we contacted the office. Also, the department’s security partners in the sectors and states have limited understanding of DHS goals for the IDW or how the new system will improve infrastructure risk management. Several sector experts were unfamiliar with the IDW concept, or first heard about plans for the IDW when IP managers asked SSAs to comment on IP’s May 2008 Report to Congress.

The NADB has not been used as an operational system for more than 2 years; minimal progress has been made to finalize a more dynamic replacement. The new NPPD CIO should make the IICS acquisition process a priority. Assistance from the Directorate of Management would facilitate the NPPD CIO’s efforts. Expanded leadership involvement could also explore solutions to IP’s hiring problems. The IDW has the potential to enhance critical infrastructure protection, one of the department’s strategic goals.
Improved interaction between NPPD and the Directorate of Management is necessary to ensure that the IDW is procured in a way that meets departmental goals and satisfies the statutory requirement to catalog critical infrastructure.

We recommend that the Under Secretary for National Protection and Programs and the Under Secretary for Management:

Recommendation #1: Complete the acquisition process for the Infrastructure Information Collection System.

The Prioritized Critical Infrastructure Lists Are the Primary Means Used to Identify Critical Infrastructure

Purpose of the List Process

The IDW is envisioned as the primary forum for information about infrastructure assets and systems. DHS also works to identify assets and systems that are deemed nationally critical through the National Critical Infrastructure Prioritization Program. Through work with states and the sectors, DHS creates the two lists of the most nationally significant infrastructure. These two lists are used for State Homeland Security Program and the Urban Area Security Initiative grant allocations. Additionally, the process is used to identify assets eligible for the Buffer Zone Protection Program (BZPP). This program is designed to increase security in the area outside a facility that can be used to conduct surveillance or launch an attack.
Public and private sector security partners can also use the lists to prioritize infrastructure protection resources and conduct planning and coordination efforts.

The process, which is managed by the Homeland Infrastructure Threat and Risk Analysis Center (HITRAC), began in 2006. Successful interaction with states and the infrastructure sectors is a vital component of the process. Criticality criteria generated by the sectors and states, along with IP-produced consequence-based criticality thresholds, identify the nation’s most critical infrastructure. Because the criteria guide sector and state submissions of assets and systems, noncritical assets are less likely to be submitted. Critical infrastructure partners use the criteria to compile asset and systems information for each sector. Each year, the IP Assistant Secretary gives final approval of the lists.

Because the Act requires that the lists be part of the larger asset database, IP officials said that the lists will become part of the IDW. The process to create the lists is logically organized, with DHS partners seeing ongoing improvements in DHS’ management of the lists. With some recommended improvements, the lists can provide additional support for CIKR identification, protection, and incident management efforts.

List Development

We reviewed information related to the lists for fiscal years 2006 to 2009. Significant changes were made for the 2009 process. One constant is that only two lists identify the nation’s most critical assets and systems. These lists address the statutory requirement of a focus on prioritized critical infrastructure. The “Type 1” list includes infrastructure that if disrupted would have the highest consequence to the nation.
A larger “Type 2” list includes all CIKR on the “Type 1” list and additional CIKR that if disrupted would have nationally significant consequences. According to IP officials, attacks against assets and systems on the Type 1 list could have catastrophic national consequences. Attacks on assets on the Type 2 list would have nationally significant consequences. Our fieldwork was based on partners’ impressions of the process prior to 2009, but we have included a description of the new process.

The 2009 process includes several enhancements. First, the two lists of nationally critical infrastructure are now completely based on consequence, rather than data such as asset size or seating capacity. Second, the concept of “critical clusters” has been introduced. This change identifies groups of related infrastructure that could be impacted by a single hazard. A cluster could rise to the level of national criticality, which would lead to inclusion of the group on either list of prioritized critical infrastructure. Third, additional lists will augment risk management and response planning. Each of the 18 sectors will have distinct lists of critical infrastructure that will determine assets and systems vital to each sector’s national or regional missions. Individual states and territories may now also create specific criteria and lists of critical assets and systems. Both the new sector and state lists are for infrastructure not deemed critical enough for inclusion in the Type 1 and Type 2 lists.
Thus, assets and systems that only appear on state or sector lists are not part of the two lists that include nationally critical assets or systems.

The 2009 process includes three phases: criteria development; a data call for partners to submit asset and systems and nominations of nationally critical infrastructure; and IP adjudication and reconsideration of partner list nominations. The reconsideration process grants partners the opportunity to question why IP made particular decisions regarding the exclusion of assets or systems that had been recommended for inclusion. Through reconsideration, HITRAC has shown commendable interest in ensuring that partners understand why decisions are made regarding the particular assets and systems on the lists. This should address a concern that state officials expressed to us regarding the previous process. Many states suggested to us that more information was needed on why IP made specific decisions to include or not include assets on the final lists.

IP has made other process improvements. Apart from extending timelines for information requests, IP also expanded partner involvement in sector criteria development, and made process changes to the vetting of asset and systems data.

The movement toward consequence-based criteria for nationally critical assets and systems is expected to improve the stability of the lists, which will enhance long-term risk management.

Criticality Criteria Show Improvement, With Need for More Consequence Analysis

For FY 2009, DHS moved to consequence-based criteria for the two lists of nationally critical infrastructure. This change was made in collaboration with the National Infrastructure Simulation and Analysis Center (NISAC).
During our fieldwork, we compared the criticality criteria and accompanying guidance provided to partners for the FY 2006 to FY 2008 lists. Our analysis showed that sector-specific criticality criteria had been improving each year. In FY 2006, sector criteria were vague and criticality thresholds undefined. Additionally, capacity thresholds in some sectors fluctuated every year. With ongoing refinements, the criticality criteria have been better able to guide states and sectors in determining the most critical assets. DHS guidance for the process also showed improvements by increasing specificity and providing incident scenarios, specifying terms and definitions, and identifying asset and system restoration times as an element of criteria. All of this information helped partners understand what would make an asset or system rise to the level of national criticality. Ambiguous criteria make it difficult for state and sector experts to identify assets that are truly critical.

Although criteria changes have frustrated some partners, many states and sectors appreciated that DHS continues to make improvements. State representatives were encouraged by national efforts and believed that DHS is trying to close the gap of understanding through more explicit guidance. One state representative said the criteria are a “moving target” but acknowledged that the program can improve as a result. A Communications Sector expert said that DHS has “gotten better” on the creation and the revision of criticality criteria. These changes will help create the state lists and lists for each of the 18 different CIKR sectors.

Even with these improvements, understanding differences in criticality across sectors is an inherent challenge. Also, some sector and state experts said that certain criteria are difficult to measure.
For example, economic loss is a criterion for various sectors, but existing models do not make it easy to assess the expected level of such loss from an attack or disruption. A dam safety expert also noted that states have various levels of expertise in completing inundation maps, tools used to predict the outcome of adverse flooding events, which is an important part of the sector’s criteria.

HITRAC management said that certain criteria lacked specificity, which was a primary reason for the move toward criteria based solely on consequence in 2009. As one DHS expert noted, capacity measures such as building size, bridge length, or daily production are not necessarily appropriate measures of consequence. DHS continues to work on more specific and meaningful criteria to help partners identify critical assets and systems.

Criticality criteria can be enhanced through an expansion of the department’s consequence analysis, which examines the effect of possible terrorist attacks or natural disasters. Such work can hone existing criticality criteria and create lists that are more consistent across states and focused on assets and systems of the highest consequence. NISAC is a primary DHS entity involved in sector and cross-sector analysis.
Certain sectors, states, and entities also analyze consequences of terrorist attacks or disasters.

A prominent example of NISAC’s modeling work occurred prior to Hurricane Katrina. In a 41-page report, NISAC predicted that a major hurricane would cause extensive damage to New Orleans, with large numbers of casualties and extended disruption of regional and national critical infrastructure.[19] As a result of this prescient analysis, the lessons-learned report produced after Hurricane Katrina recommended that DHS expand NISAC’s modeling capabilities, including further work on the economic consequence of disasters. More resources for such efforts were vital, the report noted, because governments do not have a comprehensive understanding of the interdependencies of critical infrastructure. The report stressed the continued importance of intergovernmental cooperation in modeling and consequence analysis. Specifically, DHS was asked to share all NISAC work with SSAs. Some sector experts told us that DHS can improve the amount of information that the department provides regarding NISAC’s current analysis of the various infrastructure sectors.[20]

[19] “White House Got Early Warning on Katrina,” Washington Post, January 24, 2006, p. A02.

[20] The Federal Response to Hurricane Katrina: Lessons Learned, February 2006, p. 61, 110-112.

Each sector’s annual reports have identified ambitious modeling and consequence analysis aspirations. The Transportation Sector’s report identified a need to understand how adverse events affect the transportation network, because significant work remains to identify assets and systems. According to Emergency Services Sector officials, modeling would help position resources, enhance the timeliness of first responders, and determine the effects of pandemic influenza on the sector’s workforce. The identification of interdependencies through consequence analysis is a common theme in several sectors’ modeling plans.

DHS recognizes the need for greater understanding of consequence. Even after the recommendation in the Katrina lessons-learned report, however, NISAC funding has been subject to debate between the executive and legislative branches. With more consistent and predictable funding, NISAC would be able to augment the DHS effort to identify critical infrastructure.
Because the Science & Technology Directorate and the Federal Emergency Management Agency (FEMA) also engage in modeling, coordination with other parts of the department would be desirable. A recent National Infrastructure Advisory Council (NIAC) report recommended that new modeling efforts focus on a better understanding of sector interdependencies.[21] This sensible approach would augment the ability of DHS to see how a disruption of one sector affects others. With enhanced consequence analysis, coordinated with the SSAs, DHS would continue to improve its criteria and enhance the government’s ability to identify critical infrastructure.

We recommend that the Under Secretary of the National Protection and Programs Directorate, in coordination with the Under Secretary for the Directorate of Science & Technology and the Administrator of FEMA:

Recommendation #2: Pursue and document additional budgetary resources to support necessary infrastructure modeling and consequence analysis as outlined in sectors’ annual reports.

Recommendation #3: Identify and empower a single senior official to coordinate DHS modeling and consequence analysis to ensure efficient use of resources and proper sharing of plans and results with the Sector Specific Agencies.

[21] National Infrastructure Advisory Council, Critical Infrastructure Partnership Strategic Assessment, Final Report and Recommendations, October 14, 2008, p. 39.

Partners Provided Suggestions on Improvements to the Process

Creation of the annual lists is a complex effort, and a difficult task for several states. Some DHS partners noted that time and resource constraints can adversely affect the process. The strength of state critical infrastructure programs varies across the nation, impeding some partners’ ability to provide timely and comprehensive information.

Some states and sector experts said that meeting the IP timelines is challenging. IP officials have recognized this problem, as already noted. We commend IP efforts to reduce partners’ burdens. A process that takes place once every 2 years would be an additional efficiency, because states would not need to submit asset and system lists every year. According to an IP official, the lists generally do not change, and the official expects the list will be substantially similar year-to-year. An IP analyst noted that the additional time offered by a biennial, rather than annual, process would allow IP to vet the information more thoroughly.
However, the Act states that the department must “maintain and annually update” the lists.[22] A biennial process is worthy of consideration, although a statutory modification would be necessary.

Most states and sector experts said DHS has improved the list process, with comments like “the process has matured” and is “getting better.” Many state experts attributed improvements in the annual process to their Protective Security Advisors. PSAs serve as departmental liaisons to state, local, and tribal governments, as well as the private sector. Sectors commended IP and HITRAC staff for their willingness to work with experts outside of the department.

Partners suggested, however, that more collaboration is possible. One area of possible improvement is the provision of additional information and feedback to both states and sectors. Many states and sector experts said a lot of effort goes into responding to data calls. However, partners do not receive sufficient comments on why some assets and systems are not included on the lists or how DHS makes final list decisions. The FY 2009 process attempted to address this concern through ongoing dialogue and weekly newsletters with partners during the adjudication and reconsideration phase.

[22] P.L. 110-53, § 1001(c)(1).

Several states indicated that DHS could help protect locally critical infrastructure and inform decisions by sharing its decisions on those assets and systems on the final lists. States would be better able to implement security measures if they know the assets and systems on the two lists of the nation’s more critical infrastructure. Other state representatives saw no value in the data-intensive collection efforts. A few states further noted that more information has the potential to enhance their relationships with CIKR partners. Development of state and territory lists should increase the value of the annual process because partners can use the final lists for incident and risk management.

One way DHS can ensure collaboration is in the development of the criticality criteria. The Act requires DHS to provide the program’s “data collection guidelines . . . to the appropriate homeland security official of each State.” For the new consequence-based process, state officials nominate assets based on their own criteria development process. This allows states to explain why particular assets are nominated as critical infrastructure. IP still uses national criticality criteria for the sectors to determine the assets or systems that will make the final lists.

Historically, a limited number of states had an opportunity to review and provide comments on the national criteria through the State, Local, Tribal and Territorial Government Coordinating Council. Officials from only 15 states and two tribal jurisdictions were represented on this council.
Some officials in the 15 states were at the local level and cannot speak for the state as a whole. Additionally, larger states like Illinois, Ohio, Pennsylvania, and Texas are not represented.

The states and the SSAs rely on the private sector for information on assets and systems that meet the criteria. With the exception of a few regulated sectors, such as the Banking and Finance, Chemical, and Nuclear sectors, the private sector voluntarily provides information to the government. According to states and sector experts, some private sector partners do not understand the value of sharing information because the benefits of the annual list process are not evident. The private sector views timely information on specific CIKR threats as necessary, but the needed communication does not always take place. Several private sector experts provide information to DHS, but they do not receive the final lists.

Several factors hamper DHS’ ability to share information with its CIKR partners. Although information submitted by states and sector experts is unclassified, the final lists are classified Secret. This presents an obstacle to stakeholders who do not have the necessary clearance. Threat information from intelligence agencies is also classified, which can be an impediment to information sharing. NIAC noted similar problems in a cyber security report. The intelligence on cyber threats to critical infrastructure control systems is not often shared with the owners of those systems.
To address the obstacles faced by CIKR owners and operators, NIAC made several recommendations.[23]

In a previous report, we noted the gap between stakeholder expectations and DHS capabilities and programs in the sharing of classified information.[24] To provide value to partners, DHS should enhance its ability to share the final lists and strategic threat information concerning the nation’s critical assets and systems with the private sector.

We recommend that the Assistant Secretary for the Office of Infrastructure Protection:

Recommendation #4: Ensure that all states are allowed to review the criticality criteria on an annual basis.

Recommendation #5: Develop policies that would lead to greater sharing of final lists with partners and provide specific guidance to partners on sharing sensitive and classified information.

[23] The National Infrastructure Advisory Council Convergence of Physical and Cyber Technologies and Related Security Management Challenges Working Group, Final Report and Recommendations by the Council, pp. 25–27.

[24] DHS OIG, Challenges Remain in Securing the Nation’s Cyber Infrastructure, OIG-07-48, June 2007, p. 17.

Sectors Have Varying Levels of Concern About Cyber Infrastructure

Electronic information and control systems are a central element of many infrastructure sectors. These cyber systems direct essential CIKR processes and functions. The NIPP defines cyber security as

    The prevention of damage to, unauthorized use of, or exploitation of, and if needed, the restoration of electronic information and communications systems and the information contained therein to assure confidentiality, integrity, and availability.[25]

The NIPP concluded that the U.S. economy and national security are highly dependent upon global cyber infrastructure, which has created an interconnected and interdependent global network. The NIPP noted that this level of interdependence created a linkage between physical and cyber elements of CIKR.

National progress has been made in securing the cyber component of critical infrastructure operations. In a January 2007 report, NIAC identified a dedicated community of individuals and programs working to protect control systems for critical infrastructure sectors. These “strong and committed governmental efforts” are highly valuable to several sectors.[26] The National Cyber Security Division in NPPD is charged with reducing cyber risk across the sectors.
One of the division’s two strategic objectives is to implement a cyber risk management program for protection of critical infrastructure.

NPPD has a wide range of cyber risk mitigation responsibilities, including national threat assessments, cross-sector analysis, and coordination of security programs. SSAs add expertise to ensure that security strategies and protective activities include fully integrated cyber perspectives. According to the NIPP, DHS databases and cataloging efforts should include appropriate information on sectors’ cyber assets, systems, networks, and functions. Existing documents, such as cyber roadmaps for electrical and water utilities, help infrastructure operators understand the nature of the cyber threat.

The NIPP notes that “cyber interdependence presents a unique challenge for all sectors.”[27] Thus, like overall CIKR identification, cross-sector cyber work is inherently difficult. In our discussions with public and private experts across 15 sectors, most noted the importance of cyber security. However, many experts said that more pressing concerns, such as attacks on buildings or the possibility of biological contamination, are a higher priority. A security manager for one non-DHS SSA said that the sector has no cyber security concerns, while others believed that attacks on asset control systems would not create nationally significant problems. Some state experts suggested that staffing limitations or the need for more expertise hinders their cyber asset identification.

[25] DHS, National Infrastructure Protection Plan, p. 109.

[26] National Infrastructure Advisory Council Convergence of Physical and Cyber Technologies and Related Security Management Challenges Working Group, Final Report and Recommendations by the Council, p. 5.

[27] DHS, National Infrastructure Protection Plan, p. 35.

These issues may explain why most sectors have a limited emphasis on cyber criticality criteria. A criterion for the Freight Rail subsector suggests that states submit cyber systems that would create a loss of signaling apparatus and disrupt the monitoring of rail cars in transit. A freight rail expert told us that cyber issues are vital to the market viability of railroad companies. Cyber disruption could have devastating economic consequences. In line with the sector’s criteria, some freight rail signaling stations were submitted for the 2008 process.

Specific cyber identification criteria for each sector would likely not improve cyber security overall. Many assets with cyber components are already identified on the lists without itemizing cyber systems or interdependencies. Sectors with greater concern about cyber security did note positive work with HITRAC on cyber assets, and some regulatory entities, such as the Nuclear Regulatory Commission, help focus asset owners on enhancing cyber security.
As DHS expands its risk analysis and understanding of cross-sector
dependencies, the need for specific cyber criteria for various sectors
may appear.

Some “Systems-Based” Sectors Have Problems Identifying Critical Components

Existing law defines critical infrastructure as “systems and assets”
vital to the United States.28 Infrastructure sectors that include
buildings and structures, such as chemical plants and nuclear reactors,
are considered asset-based. These sectors rely on supply chains and
inter-sector linkages but are centered on a single facility. Conversely,
sectors that have intangible assets or that work across a range of
facilities are systems-based. Systems-based sectors have had varying
levels of success with the process to identify nationally critical
infrastructure.

DHS defines a system as:29

    “Any combination of facilities, equipment, personnel, procedures,
    and communications integrated for a specific purpose.”

Individual assets in a systems-based sector, such as a bank or
food-processing facility, are generally not seen as individually
critical. Table 2 provides examples of both asset- and systems-based
sectors.

Table 2.
Certain asset- and systems-based sectors

    Asset-based sectors        Systems-based sectors
    Chemical                   Agriculture and Food
    Commercial Facilities      Banking and Finance
    Dams                       Communications
    Defense Industrial Base    Energy
    Nuclear                    Information Technology

Experts suggested that other sectors, such as Emergency Services and
Water, are also systems based. Others can be considered critical from
both asset and systems perspectives. According to the Transportation
Sector Specific Plan, for example, transit modes can be collectively
evaluated as a system. Nonetheless, the sector has placed great emphasis
on protecting certain assets, such as subway stations.

28 42 U.S.C. § 5195c(e).

29 DHS, National Infrastructure Protection Plan, p. 111.

Identifying and protecting fixed assets is not as difficult as defining
critical systems. Thus, DHS efforts to categorize critical
infrastructure have focused on assets.
Since our 2007 food defense report, DHS has made some progress in
identifying systems, including the study of vulnerabilities in
interdependent sectors.30 Even sectors that have experienced frustration
in this area have noted the department’s commitment to find mutually
agreeable solutions. However, systems identification problems are still
evident, leading to frustration in certain sectors and the potential for
some disruption of DHS infrastructure partnerships.

Several of the officials we interviewed noted the difficulty in
identifying systems for the lists, with one official declaring that DHS
“ignores history” by being more concerned with fixed sites than supply
chains. PSAs also told us that more work in the systems area is needed.
Of the 59 PSAs providing an opinion, only 12 believed that the current
effort to identify systems ranked as a 4 or 5 on a five-point scale,
while 26 PSAs rated the effort as poor or below average. PSAs commenting
on the identification of systems noted:

    “I strongly believe we need to do a better job in the systems based
    sectors (especially the agriculture sector).”

    “Systems based sectors are [the] weakest part of the lists.”

    “A systems approach needs to be adopted . . .
    systems interdependencies may well become our national weakness,
    rather than any individual, or set of stand-alone sites.”

30 DHS OIG, The Department of Homeland Security’s Role in Food Defense
and Critical Infrastructure Protection, OIG-07-33, March 2007.

During our fieldwork, we encountered a range of opinions regarding the
success of integrating the systems concept into critical infrastructure
protection and asset identification. The Emergency Services Sector noted
the difficulty of establishing a systems view of its components. The
Transportation Security Administration (TSA) was pleased that IP
recognized the systems-based nature of important transit elements, such
as rail systems. List submissions for large subways are based on one
overall system, rather than individual stations. Neither TSA nor the
states submit station stops for subway systems. Although individual
stations have been targeted in terrorist attacks, TSA experts noted that
any point of an overall rail system could be infiltrated, making large
transit systems, not stations themselves, nationally critical. TSA
appreciates the flexibility that has led to the submission of individual
rail systems for the lists. Our 2006 report on the NADB identified
inconsistencies in state transit rail data submissions. For example,
some states provided the name of one rail system, while others submitted
lists of all stations.
Cooperation between TSA and IP has ended this problem, ensuring more
consistency across the nation’s transit rail systems and other
components of the Transportation Sector.

Of the sectors that continue to struggle with systems identification,
the most difficult case has been the Agriculture and Food Sector. Our
March 2007 food defense report documented the sector’s concern regarding
the identification of systems. The experts we interviewed for this
report said that the annual process continues to leave the sector with a
much smaller number of assets than other sectors. These conclusions were
noted in the sector’s July 2007 annual report. The department’s 2008
list guidance for the sector still advised state agencies to identify
only assets that, if damaged, destroyed, or compromised, could create
the highest consequences on a regional or national scale. This guidance
minimized systems identification.

There is some merit to the department’s approach. Although one cow with
hoof-and-mouth disease could create nationally significant problems, one
animal cannot be seen as nationally critical. DHS prefers that states
identify specific parts of diverse interstate food production systems
and other sector subcomponents that meet the criticality criteria.
HITRAC and sector experts share the view that identifying critical
portions of the Agriculture and Food Sector is a major challenge.
Experts we interviewed from the sector noted that DHS is interested in
exploring solutions to this difficult problem. The critical clusters
approach in the 2009 process can be seen as one way to expand systems
identification.

Since our 2007 food defense report, the National Center for Food
Protection and Defense created a new identification method.
The Food and Agriculture Sector Criticality Assessment Tool (FASCAT) was
developed in consultation with sector experts and has the support of DHS
and the sector’s two SSAs. IP officials have noted that states using
FASCAT may leverage information gathered through that effort.
Nonetheless, the SSAs believe the 2008 list process was difficult, which
created “a mixed bag” of state submissions.

After receiving more than 1,600 Agriculture and Food Sector submissions
from 34 states and territories, DHS asked the SSAs to reduce the list.
Even after the list decreased significantly, DHS did not accept the
submissions for the nationally critical lists. SSA staff said that DHS
was concerned about consistency across states and the level of assets
submitted that did not meet the sector’s general criteria.

Some states and territories submitted hundreds of items, while 22 states
and territories did not provide any Agriculture and Food Sector assets
or systems. The SSAs have legitimate concerns that the result of the
2009 process will hamper state interest in providing food and
agriculture assets and systems, if not severely harm the sector’s
partnership model. No portion of the sector’s production and processing
system, a highly significant part of the U.S. economy and a net
exporter, appears on a list of nationally significant critical
infrastructure.
This is especially difficult to understand when the sector’s regulatory
bodies hold such extensive data about the sector.

We acknowledge that systems identification is complicated. However, DHS
should work with the SSAs and the sector’s coordinating councils to
create general criteria based on state production capacity and the value
of food produced. The current criteria focus on public health or
economic loss from intentional or natural disruptions, criteria that are
difficult for states to predict. Although state production criteria
would lack vigorous consequence and vulnerability components, the
criteria could be enhanced through modeling efforts and further
refinement. Moreover, SSA submission of data would end the problem of
inconsistency across states and reduce the states’ burden. For example,
SSAs can easily determine which states produce the most milk, beef, and
other popular commodities. Using the lists to catalog the sector’s most
productive subcomponents is necessary for the Agriculture and Food
Sector to be suitably represented compared to other sectors.

We recommend that the Assistant Secretary for the Office of
Infrastructure Protection:

Recommendation #6: Create criticality criteria based on existing state
production and capacity data, which would lead the Sector Specific
Agencies, rather than the states, to submit data for the lists.

Protective Security Advisors Displayed Some Confusion About Their Role

The annual list process has helped DHS and its partners to improve
critical infrastructure protection through the identification of
nationally critical assets. We initiated a survey of PSAs, DHS employees
in the field who work with states and sectors.
These experienced professionals are an important part of CIKR
protection. Many PSAs believe that DHS has taken positive actions to
protect CIKR. Nonetheless, some PSAs expressed a degree of negativity
about IP’s CIKR protective efforts. Based on PSA comments, we did not
conclude that the lists are seriously flawed, but the comments justify
further DHS focus on the role of the PSAs in working with partners to
develop the lists.

Some PSAs noted that industry experts have created CIKR asset lists.
According to some PSAs, these lists had key differences from the lists
of nationally critical infrastructure. Several PSAs wrote that the
criteria, although improving each year, need further refinement. One PSA
suggested that IP should ensure that PSAs do more to coordinate with
states on establishing submission parameters, while another suggested
mandated coordination between PSAs and the public and private sector
partners that submit data.

Most of the PSAs who answered the question, 53 of 61 (87%), advocated
for some private sector involvement in the list process. Such an
enhancement could improve the accuracy of list submissions.

Only a small majority, 33 of 61 (54%), believed that PSAs should be more
involved in the process. Yet, PSAs were generally displeased with their
ability to influence CIKR policies and practices. PSAs commented that
more work is needed to improve states’ submissions and facilitate
greater interaction with SSAs. Several noted the difficulty of
explaining DHS decisions to the states, especially when assets submitted
by states are not on the final lists.

Although IP has shown continued interest in revising the process used to
identify nationally critical infrastructure, further work to refine the
PSA role is warranted.
Specific steps in this area should focus on ensuring that PSAs
participate in state list submissions, as well as on further
coordination between PSAs and SSAs. All of the state officials we
interviewed praised the work of individual PSAs and considered them an
invaluable resource. Additional work in this area would improve asset
identification and the ability of DHS to work with security partners.

We recommend that the Assistant Secretary for the Office of
Infrastructure Protection:

Recommendation #7: Expand the role of Protective Security Advisors in
the annual list process to enable them to provide information and
comments on state data submissions.

The Lists are Used in Grant Formulas, but Not by DHS Law Enforcement

The Lists Are Used in the Allocation of Grant Funding

The nation must prioritize its grant funding and protective efforts to
target areas most in need. Data gained through the two lists of
nationally critical infrastructure are provided to FEMA for use in two
parts of the Homeland Security Grant Program: The State Homeland
Security Program (SHSP) and the Urban Areas Security Initiative (UASI).
In FY 2008, all 50 states, the District of Columbia, and five
territories were eligible for $861,280,000 in SHSP funding.
Also in FY 2008, $781,630,000 was available under the UASI for the
nation’s 60 most at risk urban areas. The new sector and state lists of
critical infrastructure are not used for purposes of grant funding.

The SHSP and UASI funding formula is based on the department’s
definition of risk, which includes three elements: threat,
vulnerability, and consequence.31 Intelligence analysis is used to
create the threat component of the formula, which accounts for 20% of
the allocations for the two programs. The vulnerability and consequence
portions account for the remaining 80%.

31 DHS, National Infrastructure Protection Plan, p. 32.

Four indices compose the formula’s vulnerability and consequence
elements, or 80% of the overall allocations. A Population Index accounts
for 40% of vulnerability and consequence, while an Economic Index
accounts for 20%. The National Infrastructure Index (NII) and the
National Security Index (NSI) account for the remaining 20% of the
formula’s vulnerability and consequence portion. FEMA uses list
statistics to create the NII and the NSI. The NII, which uses a
jurisdiction’s number of nationally critical assets, is 15% of the
vulnerability and consequence total.
The NSI, which includes the number of nationally critical assets in the
Defense Industrial Base (DIB) Sector as one component, is 5%.32 Figure 1
illustrates the placement of list data in the risk formula.

Figure 1. Nationally Critical Asset Information and the SHSP and UASI
formula

32 GAO, Homeland Security: DHS Risk-Based Grant Methodology Is
Reasonable, But Current Version’s Measure of Vulnerability is Limited,
GAO-08-852, June 2008.

States are required to send 80% of total SHSP and UASI funding to local
governments. Guidance for the 2009 grant programs included six Homeland
Security Grant Program national priorities that were to inform state
applications:

    • Progress in meeting the National Preparedness Guidelines
    • Protecting against improvised explosive devices
    • Strengthening preparedness planning, training, and exercises
    • Emphasizing information-sharing capabilities
    • Strengthening medical readiness
    • Strengthening preventive radiological/nuclear detection
      capabilities

Although these guidelines relate to critical infrastructure protection,
the SHSP is designed to help develop state and local preparedness and
response capabilities.
UASI funds focus on regional protection of the nation’s larger urban
areas. A focus on improvised explosive devices came from Homeland
Security Presidential Directive 19, “Combating Terrorist Use of
Explosives in the United States.”

Grants Using Nationally Critical Asset Data Do Not Require Direct Expenditures to Protect Those Assets

SHSP and UASI are designed to improve state and territorial capacity to
protect the nation and respond to major events. The NIPP establishes
that SHSP and UASI funding should address:

    “regionally or locally critical priority CIKR initiatives. A further
    prioritized combination of grant funding across various programs may
    be necessary to enable the protection of certain assets, systems,
    networks, and functions deemed to be nationally critical.”33

This language does not preclude the use of SHSP and UASI funding to
protect nationally critical infrastructure. Sending funding to states
based on the existence of nationally significant CIKR does not mean that
states will use that funding to protect or aid response and recovery
efforts for those assets.
However, current law establishes that states may use allocations from
the two programs for various purposes, including protecting a nationally
critical system or asset.34 Although national criticality need not
influence all state allocation decisions, federal funds are being used
to augment state goals. Funding that is partially based on two lists of
nationally critical infrastructure allows state and local officials to
make provincial decisions about how to allocate funds. The number of
nationally critical assets in a jurisdiction may or may not be a good
proxy for the amount of money needed for regionally or locally critical
priority CIKR initiatives. Although risk management theory suggests that
funds should “buy down” risk, experts do not know how UASI and SHSP
grant allocations are decreasing overall risk or improving the protected
status of nationally critical infrastructure.35

33 DHS, National Infrastructure Protection Plan, p. 102.

34 6 U.S.C. § 609(a)(3).

35 RAND, “Estimating Terrorism Risk,” 2005.

The FEMA officials we interviewed said that states must provide
investment justifications for allocated funding. Additionally, a peer
review of state submissions is designed to ensure that state
funding corresponds with national or state goals. FEMA is developing a
cost-to-capabilities initiative to measure how grant funding leads to
security improvements. This information will be used to target programs,
fill security gaps, and connect funding to DHS policy. These efforts
have merit. However, existing rules allow the spending of national SHSP
and UASI funds based on state interests. Although DHS guidelines help in
funding decisions, states may have a different view of risk than the
department.

Security improvements to critical assets are part of certain other grant
programs. For FY 2008, DHS provided states $48,575,000 in Buffer Zone
funding for list assets.36 The equipment needed for protection and
resiliency is vetted against an authorized equipment list, to ensure the
grant money is used appropriately to mitigate security gaps identified
in the Buffer Zone Plans. After the vetting process, DHS releases the
funds. Additionally, a focus on improvised explosive device prevention
clearly has protective value for critical infrastructure sites.
However, guidance from FEMA stated that grant allocations to protect
against these devices “should be undertaken in coordination with the
statewide CIKR protection program,” which could target assets that are
not nationally critical.

Under Homeland Security Presidential Directive 8, preparedness grants
are not designed “to support existing capacity to address normal local
first responder operations, but to build capacity to address major
events, especially terrorism.”37 Some state officials noted that some
jurisdictions were using funding for ongoing local concerns. Direct
correlation between UASI and SHSP funding and nationally significant
assets and systems would ensure greater linkage between grant funding
and national goals.

Although the number of assets placed on the lists affects a state’s
grant funding, data are not readily available to show how states use
UASI and SHSP funding to protect CIKR sites. The need for such spending
data has created frustration in SSAs that have infrastructure protection
programs. Agency experts informed us that inefficiencies and duplication
of agencies’ efforts are occurring.

36 DHS, Overview: FY 2008 Infrastructure Protection Activities, May 2008, pp.
5, 20–21.

37 Homeland Security Presidential Directive 8, December 13, 2003,
paragraph 11.

Officials from the Nuclear and Water Sectors expressed the most
irritation about the need for data on grant funding decisions.
Environmental Protection Agency experts considered it embarrassing that
federal partners may be allocating security funding to the same
projects. Security staff at the Nuclear Regulatory Commission said that
sectors cannot see “a connection to a purchase” after states allocate
DHS grant dollars. This hampers the government’s ability to learn how
security gaps are being lessened through allocation of federal funds.
The Nuclear Regulatory Commission noted that because states spend SHSP
and UASI funds, the federal government would not have data to share with
the SSAs regarding spending decisions. Although DHS has conducted some
information sharing in this area, concern about a need for dialog was
not limited to federal agencies. Some state interviewees lamented the
incomplete dialog with SSAs on grant funding issues.

Without better data on SHSP and UASI funding, a complete assessment of
risk reduction will be elusive.
An expert risk management forum noted that the government must “be able
to estimate the level of deterrence resulting from the countermeasures
implemented.”38 Constraints on this front led sector experts to complain
that even though asset data affects grant funding, “whiz-bang” devices
purchased throughout the country have limited utility in national risk
reduction. Another expert opined that grant funding efforts cannot be
deemed a success simply by counting the number of new fire trucks.

Response and recovery are logical places for SHSP and UASI allocations.
A new objective to link funds to assets and systems on the lists would
better protect the nation’s most critical infrastructure. FEMA should
work with NPPD to develop a grant objective that establishes a link
between grant funds and list entries. To address the concern about
incomplete grant information sharing, FEMA could collect data from the
states on funds that were spent on particular sectors, and share the
data with the SSAs. Improved interaction between SSAs and states would
decrease the potential duplication of effort and provide information on
what sectors are receiving funding.
With knowledge about how sectors are using UASI and SHSP funding, DHS
would be better able to target protective efforts on nationally critical
infrastructure.

38 GAO, Highlights of a GAO Forum: Strengthening the Use of Risk
Management Principles in Homeland Security, GAO-08-627SP, April 2008,
p. 13.

We recommend that the Administrator of FEMA, in coordination with the
Assistant Secretary for the Office of Infrastructure Protection:

Recommendation #8: Create an objective in annual grant guidance that
links a portion of State Homeland Security Program and Urban Area
Security Initiative funding to the protection of nationally critical
assets and systems.

Recommendation #9: Collect and disseminate grant expenditure data that
inform Sector Specific Agencies about the amount of funds that states
spend on particular sectors’ assets and systems.

The Lists are Not Meant to Assist Law Enforcement Efforts

DHS agencies are charged with enforcing a variety of U.S. laws.
Immigration and Customs Enforcement (ICE) conducts operations against
employers who hire undocumented workers. In FY 2008, ICE made 6,287
criminal and administrative arrests as a result of worksite enforcement
operations. ICE intends to target critical infrastructure sites that may
employ individuals who are not authorized to work in the United States.
Although ICE lists
airports, nuclear power plants, and chemical facilities as examples
of critical infrastructure, ICE and IP do not have sufficient ongoing
contact to help both entities achieve mutual CIKR protection goals.

An ICE manager who deals with worksite enforcement
investigations noted that ICE would like to target investigative
resources on facilities deemed most vital, but ICE does not have
access to current lists. ICE management noted that the agency
does not interact with IP on specific CIKR sites or general areas of
shared interest.

HITRAC officials noted that the list process is not focused on
aiding law enforcement. They believe that use of the lists for law
enforcement purposes, especially actions as sensitive as
immigration worksite operations, would seriously hinder the
overall partnership model. HITRAC believes that some states and
the private sector would be reluctant to participate in the process if
it were used for immigration enforcement operations. Very clear
rules would be required to denote the limits of information sharing
if DHS agencies were to use the lists for investigative or other
purposes. Nonetheless, HITRAC officials are not opposed to
collaborating with ICE on matters of critical infrastructure
protection. We believe that such collaboration would be beneficial
to both HITRAC and ICE.

IP has concerns about the use of the nationally critical lists for
DHS law enforcement work. Nonetheless, an enhanced
partnership offers ICE and IP the ability to augment DHS critical
infrastructure protection objectives.
Although we are not
recommending that the lists be shared with DHS law enforcement
agencies, an expanded dialog could offer mutual benefits for IP
and ICE.

We recommend that the Assistant Secretary for the Office of
Infrastructure Protection:

Recommendation #10: Confer with Immigration and Customs
Enforcement on the mutual goal of protecting critical infrastructure
and report to the Office of Inspector General on methods and
remaining obstacles to intra-departmental coordination and
information sharing on critical infrastructure protection.

Status of DHS Reporting Requirements and Discretionary Consortium

The Act requires that DHS submit a report on efforts to identify and
catalog critical infrastructure.39 In its report, IP explained that the IDW
will house the nation’s infrastructure data.
As required by the Act, IP also
provided a synopsis of significant challenges associated with the database
and the annual process to identify nationally critical infrastructure.

The Act included discretionary language allowing DHS to establish a
National Infrastructure Protection Consortium to advise “on the best way
to identify, generate, organize, and maintain any database or list of
systems and assets.”40 In addition to government experts, this group could
include national laboratories, academic institutions, or Centers of
Excellence, which are groups of experts that work with the department to
address various homeland security issues. A few sector experts expressed
interest in an additional entity to identify critical infrastructure assets and
systems. However, most believed that the current NIPP sector partnership
model would be more suitable to handle critical infrastructure asset and
system identification activities.

39 P.L. 110-53, § 1001(d).
40 P.L. 110-53, § 1001(f).

Partners said that the existing model has made progress in building
relationships and trust between the government and the private sector.
One PSA said that the “relationships and processes are in place and
becoming more effective each year.” Other sector partners argued that an
additional commission would be redundant.
PSAs were divided on
establishing the Consortium: 31 suggested its adoption while 30 were
opposed.

Major Changes to the Sector Partnership Model Are Not Needed

Experts who had concerns about some DHS policies and actions have
noted ongoing improvement in their work with the department. DHS
continues to search for ways to improve the partnership model. Further
improvements can be made, but we are pleased that infrastructure sectors
have seen a growing DHS commitment. Major changes to the sector
partnership model are not necessary. Revisions to the model must respect
the advancements DHS has made. Through our continuing examination of
DHS work with other sectors, departmental acquisition practices, and
related areas, we will continue to evaluate efforts to identify and protect
critical infrastructure, a vital component of the DHS mission.

Management Comments and OIG Analysis

DHS consolidated responses from NPPD, FEMA, and ICE to provide
written comments on our draft report. We evaluated the comments and
have made changes where we deemed appropriate. DHS concurred with 8
of 10 recommendations. Below is a summary of the consolidated
comments and our analysis. The department’s response is included as
Appendix B.

Recommendation #1: Complete the acquisition process for the
Infrastructure Information Collection System.

Management Comments to Recommendation #1

The department concurred with our recommendation. IP will continue to
work with the Under Secretary for Management to acquire the
Infrastructure Information Collection System.
The system is viewed as an
improved approach to collecting and maintaining reliable information on
the nation’s infrastructure.

OIG Analysis

We consider the department’s reply responsive to the recommendation.
We will require updates on the IICS acquisition efforts. This information
should include challenges faced in completing the acquisition. The
recommendation is resolved and open.

Recommendation #2: Pursue and document additional budgetary
resources to support necessary infrastructure modeling and consequence
analysis as outlined in sectors’ annual reports.

Management Comments to Recommendation #2

The department concurred with our recommendation. Current funding
levels allow DHS only to support HITRAC requests and the maintenance
of existing NISAC capabilities, although DHS sees the need for expanded
capabilities to fully serve the NIPP partnership model. A necessary first
step before pursuing additional resources will be to identify the universe
of consequence analysis needs across DHS.

OIG Analysis

We consider the department’s reply responsive to the recommendation.
The single DHS contact assigned under Recommendation #3 should
ensure coordination of the effort to acquire additional consequence
analysis resources across various agencies. Expansion of the department’s
capabilities in this area is central to improving analysis of
interdependencies across the 18 critical infrastructure sectors. We will
require updates on the department’s efforts to identify its scope of
capability in infrastructure modeling and consequence analysis and the
resulting actions to document resources dedicated to such efforts.
This recommendation remains resolved and open.

Recommendation #3: Identify and empower a single senior official to
coordinate DHS modeling and consequence analysis to ensure efficient
use of resources and proper sharing of plans and results with the Sector
Specific Agencies.

Management Comments to Recommendation #3

DHS concurred with our recommendation. The response focused on a
need for coordination between a range of components. This would ensure
that a department-wide perspective, not just that of any one component,
will drive national modeling and consequence analysis. An Executive
Steering Committee, composed of various DHS stakeholders, would
ensure the necessary coordination. Such an entity would capture the
perspective of various DHS stakeholders.

OIG Analysis

We consider the department’s reply responsive to the recommendation.
DHS has commendable plans in this area. Input of various DHS
components will be necessary to bring maximum efficiency to this
important effort. When fully coordinated, modeling and consequence
analysis will improve DHS efforts to identify each sector’s most critical
infrastructure. The Executive Steering Committee should bring an
important inter-component view to this effort. We will require updates on
the department’s plans as outlined in its response. This recommendation
remains resolved and open.

Recommendation #4: Ensure that all states are allowed to review the
criticality criteria on an annual basis.

Management Comments to Recommendation #4

The department concurred, noting that the FY 2009 process addresses our
recommendation. Revisions to the process for FY 2009 granted states an
opportunity to comment on the existing consequence-based criteria.
Also, states and territories are able to develop unique criticality criteria for lists
of critical infrastructure in their jurisdictions.

OIG Analysis

IP actions for the FY 2009 process are responsive to the recommendation.
Because the intent of state involvement in annual criteria found in the
Implementing Recommendations of the 9/11 Commission Act of 2007 has
been addressed, we consider this recommendation resolved and closed.
No further action is required.

Recommendation #5: Develop policies that would lead to greater sharing
of final lists with partners and provide specific guidance to partners on
sharing sensitive and classified information.

Management Comments to Recommendation #5

The department concurred with our recommendation.

OIG Analysis

While the department has concurred, there was no indication in its
response on what actions will be taken to address this recommendation.
We understand that PSAs and other DHS staff continue to work with
states on sharing sensitive information. This recommendation will remain
resolved and open until the department provides further information on
how it will address greater sharing of lists.

Recommendation #6: Create criticality criteria based on existing state
production and capacity data, which would lead the Sector Specific
Agencies, rather than the states, to submit data for the lists.

Management Comments to Recommendation #6

The department did not concur with this recommendation. Use of federal
agencies’ capacity data is seen as a step back from the consequence-based
focus that is now used to identify the critical assets and systems.
FASCAT, adopted through a collaborative process with the sector, will
continue to guide identification efforts.
DHS argued that states are the
best entities to identify the sector’s most critical assets and systems.

OIG Analysis

The department’s response is true to the intent of our recommendation,
which was based on a concern about the Food and Agriculture Sector’s
inability to be represented in the annual list process. Use of capacity data
was one way to rectify this problem. Although FASCAT has support from
sector experts, the 2008 process did not satisfy the sector’s two SSAs.
Nonetheless, IP’s focus on continually improving the systems
identification effort is a positive sign. If fully developed to its potential,
FASCAT can lead to greater sector representation on the lists. Thus, we
consider this recommendation resolved and open, pending data and further
updates on progress made to integrate the sector’s most critical systems
into the process.

Recommendation #7: Expand the role of Protective Security Advisors in
the annual list process to enable them to provide information and
comments on state data submissions.

Management Comments to Recommendation #7

DHS concurred with our recommendation to expand the PSA role in the
process.

OIG Analysis

The department concurred with our recommendation, but no additional
detail was provided beyond noting that PSA involvement was expanded in
FY 2009. HITRAC FY 2009 guidance notes a role for PSAs in
nominating submissions for the Emergency Services Sector. However,
there is no indication of further PSA roles in the guidance. Additional
information is needed on how the PSA role has been expanded.
This recommendation is resolved and open.

Recommendation #8: Create an objective in annual grant guidance that
links a portion of State Homeland Security Program and Urban Area
Security Initiative funding to the protection of nationally critical assets and
systems.

Management Comments to Recommendation #8

The department did not concur with our recommendation. DHS argued
that the Buffer Zone Protection Program fulfills the linkage our
recommendation envisions. In its response, the department noted that
BZPP provides $50 million annually to local law enforcement and public
safety agencies to address CIKR security gaps for nationally critical
assets.

OIG Analysis

We reaffirm our recommendation. While BZPP grants are designed to
increase the protection of nationally critical assets and systems, the
funding available for this program has been significantly less than funds
disbursed for SHSP and UASI grants. In FY 2008 alone, DHS provided
over $861 million in SHSP and $781 million in UASI funds to states.

FEMA’s strategic plan indicates that grants are important resources to
influence actions and develop integrated and comprehensive capabilities
that will achieve national objectives. The agency specifically notes that it
will promote the protection of critical infrastructure to avoid major
disruption to commerce or significant loss of life. FEMA will also work
to ensure that “capabilities for all hazards are strengthened and based
soundly on a joint analysis of risk . . .” Focusing funding on nationally
critical assets and systems, rather than infrastructure deemed important
just at the state level, most obviously fits into FEMA’s critical
infrastructure protection goals.
Because the process identifies the most
nationally critical infrastructure, grant programs receiving funds partially
based on list entries should include an objective to protect these assets.
Protection of assets identified on the lists is the best way to maximize
investments.

Recognizing that not all assets and systems are equally important across
the 18 sectors, DHS expends a great deal of effort annually to identify
nationally critical assets. DHS grants are an important tool used to focus
federal resources on the nation’s highest CIKR priorities. Since a portion
of SHSP and UASI grants is calculated using list data, a portion of the
funds should be directly linked to the protection of nationally critical
assets and systems. Some funds may still be used for states to protect
assets and systems that are critical only on the local level. Our
recommendation seeks to establish the linkage between a portion of SHSP
and UASI funding to protection of nationally critical assets and systems
through an objective in grant guidelines. Other approaches could meet the
intent of our recommendation, such as channeling the portions of SHSP
and UASI funds directly tied to the lists to grant programs like the BZPP.
This recommendation remains unresolved and open.

Recommendation #9: Collect and disseminate grant expenditure data
that inform Sector Specific Agencies about the amount of funds that states
spend on particular sectors’ assets and systems.

Management Comments to Recommendation #9

The department concurred with our recommendation.
Through consultations with IP, FEMA will determine how grant reporting systems
can be used to inform SSAs on how funding has been used at the state and
local level.

OIG Analysis

We consider the department’s reply responsive to the recommendation.
Once data is gathered, DHS will be able to determine the level of state
funding tied directly to national goals, which is in line with FEMA’s
strategic plan. This will also help DHS work with SSAs to avoid duplicate
security spending. We will require updates regarding the results of the
FEMA-IP discussions on reporting states’ grant expenditures to the Sector
Specific Agencies. This recommendation is resolved and open.

Recommendation #10: Confer with Immigration and Customs
Enforcement on the mutual goal of protecting critical infrastructure and
report to the Office of Inspector General on methods and remaining
obstacles to intra-departmental coordination and information sharing on
critical infrastructure protection.

Management Comments to Recommendation #10

The department concurred with our recommendation. Outside of the
formal comment process, some concern still exists regarding the potential
impact of sharing list entries with law enforcement.

OIG Analysis

We consider the department’s reply responsive to the recommendation.
As stated in our report, the recommendation was based on the need for
greater consultation between IP and ICE. This interaction does not require
that IP share the lists with ICE or other law enforcement entities. We will
require reports on the results of NPPD discussions with ICE regarding
methods and remaining obstacles to intra-departmental coordination and
information sharing on critical infrastructure protection.
This recommendation is resolved and open.

Appendix A
Purpose, Scope, and Methodology

Section 1001 of the Implementing Recommendations of the 9/11
Commission Act of 2007 (P.L. 110-53) required our office to
review how DHS identifies and catalogs the nation’s critical
infrastructure. We examined a wide range of general information
about each of the critical infrastructure sectors. We reviewed
statutes and policies related to CIKR protection, as well as risk
management documents. We did not evaluate the exact points
where problems in NPPD or the Directorate of Management
adversely affected the development of the IICS.

We conducted 53 interviews, including discussions with 15 state
homeland security offices and 31 experts representing 15 of the 18
infrastructure sectors. We interviewed DHS branch chiefs,
members of the Government and Sector Coordinating Councils,
and other individuals with expertise in critical infrastructure
protection policy. Additionally, we attended the 2008 Critical
Infrastructure Protection Congress.

To gain the perspective of PSAs, we created an online survey that
was distributed to 75 PSAs. We received 63 responses, a response
rate of 84%. Fifty-one of the 63 respondents, or 81%, had been
PSAs for more than 2 years. Survey questions dealt with PSA
perspectives on asset identification work and the overall risk
management process.
Results of the survey are discussed
throughout the report; the survey appears in Appendix C.

We conducted our review between July and October 2008 under
the authority of the Inspector General Act of 1978, as amended,
and according to the Quality Standards for Inspections issued by
the President’s Council on Integrity and Efficiency.

Appendix B
Management Comments to the Draft Report

Appendix C
The Survey of Protective Security Advisors

Question 1: How long have you been a PSA?

    Less than 90 days                                              1
    3 to 6 months                                                  0
    More than 6 but less than 12 months                            1
    1 to 2 years                                                  10
    More than 2 years                                             51

Question 2: Regarding the annual List process, how do you judge the level of your
involvement in vetting the information submitted by your state(s) to the Office of
Infrastructure Protection?

    I do not need to be
    more involved in helping states create asset lists            28

    IP should ensure that I am more involved in helping
    states create asset lists                                     33

Question 3: Which statement below best expresses your view on the preferred level of
private sector involvement in the vetting of list submissions and the review of the
sectors’ criticality criteria?

    The private sector does not need to be more involved in
    the vetting of assets and the review of criteria               8

    Some additional private sector involvement in these
    areas would be useful                                         32

    A much greater level of private sector involvement is
    necessary in these areas                                      21

Question 4: Do states currently have sufficient opportunity to suggest revisions to the
criticality criteria that IP provides to help guide list submissions?

    Yes                                                           21
    No                                                            30
    I don’t have an opinion                                       11

Question 5: Based on the choices below, what statement best reflects your view of the
completeness of the data that states submit for purposes of populating the CIKR lists?

    States are able to submit very complete data                  13

    If there are problems with incomplete list submissions,
    these concerns are minor and are
    not a long-term issue                                         17

    IP needs to take significant steps to ensure that states
    are submitting more complete list submissions                 25

    I don’t have an opinion on this matter                         6

Question 6: On a scale of 1 (poor) to 5 (excellent), how do you rate the value and
completeness of the current list criticality guidance provided by IP to states?

    1                                                              5
    2                                                             15
    3                                                             15
    4                                                             20
    5                                                              3

Question 7: On a scale of 1 (poor) to 5 (excellent), how well does the current process
inform and improve overall risk management (grant funding, site visits, security
improvements, etc.)

    1                                                              4
    2                                                             14
    3                                                             22
    4                                                             14
    5                                                              0

Question 8: On a scale of 1 (poor) to 5 (excellent), how do you rate the current efforts
to ensure that “systems-based sectors” (e.g., food/agriculture, energy, banking/finance)
are represented in the lists, in addition to sectors based more on fixed assets (e.g.
nuclear, commercial facilities, dams)?

    1                                                              7
    2
                                                                  19
    3                                                             21
    4                                                              8
    5                                                              4

Question 9: Section 1001 of the 9/11 Commission Act allows, but does not require,
DHS to establish a National Infrastructure Protection Consortium, which may advise
DHS on “the best way to identify, generate, organize, and maintain any database or list
of systems and assets” created by DHS. Do you believe such a consortium would be
beneficial, or do you believe current relationships, committees, and processes are
sufficient?

    The Consortium mentioned in the Act should be
    established because it could augment the work of
    identifying CIKR assets and systems                           31

    The Consortium is not needed because existing
    relationships and processes are sufficient in identifying
    CIKR assets and systems                                       30

Appendix D
Major Contributors to this Report

Douglas Ellice, Chief Inspector, Office of Inspections

Darin Wipperman, Senior Inspector, Office of Inspections

Kristine Odiña, Inspector, Office of Inspections

Appendix E
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff for Operations
Chief of Staff for Policy
Deputy Chiefs of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Under Secretary, National Protection and Programs Directorate
National Protection and Programs Directorate Liaison
Office of Infrastructure Protection Liaison
Chief Security Officer

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as
appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199,
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal
misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at
DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.